Network Security System Having a Device Profiler Communicatively Coupled to a Traffic Monitor

ABSTRACT

A system and method for providing distributed security of a network. Several device profilers are placed at different locations of a network to assess vulnerabilities from different perspectives. The device profiler identifies the hosts on the network, and characteristics such as operating system and applications running on the hosts. The device profiler traverses a vulnerability tree having nodes representative of characteristics of the hosts, each node having an associated set of potential vulnerabilities. Verification rules can verify the potential vulnerabilities. A centralized correlation server, at a centrally accessible location in the network, stores the determined vulnerabilities of the network and associates the determined vulnerabilities with attack signatures. Traffic monitors access the attack signatures and monitor network traffic for attacks against the determined vulnerabilities.

CROSS REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. application Ser. No.10/456,837, filed Jun. 6, 2003, now U.S. Pat. No. 7,181,769, which: (1)claims the benefit of U.S. Provisional Application No. 60/388,078, filedJun. 11, 2002; (2) is continuation-in-part of U.S. patent applicationSer. No. 09/757,872, filed Jan. 10, 2001, now abandoned; (3) iscontinuation-in-part of U.S. patent application Ser. No. 09/757,963,filed Jan. 10, 2001, now U.S. Pat. No. 6,957,348; and (4) iscontinuation-in-part of U.S. patent application Ser. No. 09/648,211filed on Aug. 25, 2000, now U.S. Pat. No. 7,073,198. Each of theseapplications is incorporated by reference in its entirety.

BACKGROUND

This invention pertains in general to a computer network security systemand, more specifically, to profiling a network for vulnerabilities andmonitoring exploitations of those vulnerabilities.

Computer networks are vulnerable to many threats that can inflict damageresulting in significant losses. These threats can stem from a number ofsources including malicious acts, environmental hazards, hardware andsoftware failure, and user error. A goal of network security is toprotect the confidentiality, integrity, and availability of informationstored electronically in a network from these threatening sources.

Several conventional resources are available to protect a network frominformation losses. Firewalls are used to enforce a boundary between twoor more networks by filtering network traffic passing through thefirewall according to a security policy. Vulnerability detection toolsperform examinations of a network to determine weaknesses that mightallow attacks. Also, separate intrusion detection tools monitor anetwork for malicious traffic.

One problem with conventional resources is that firewalls are inadequateto fully protect a network since they traditionally only provideprotection against malicious traffic passing through the firewall. Thenetwork may still be vulnerable through entry points that do not passthrough the firewall.

Furthermore, vulnerability detection tools and intrusion detection toolsare inherently complicated to configure and typically lackinteroperability. Consequentially, security engineers need to know whattypes of attack signatures to look for, how to look for them, and how torespond to a detected attack. Vulnerability detection tools inaccuratelyassess system vulnerabilities due to limited information about thesystem. Likewise, intrusion detection tools generate many falsepositives and operate inefficiently by failing to leverage off of thelimited information gathered by the vulnerability detection tools.

Therefore, there is a need for network protection that does not sufferfrom these problems. Preferably, the solution to this need will includevulnerability detection aspects to non-invasively detect vulnerabilitiesand allow the intrusion detection aspects to leverage off of thevulnerability assessment aspects.

SUMMARY

The present invention meets these needs by identifying, monitoring, andupdating verified vulnerabilities in a network before a malicious attackon the vulnerabilities.

The system of the present invention includes a device profiler, acentralized correlation server, and at least one traffic monitorcommunicatively coupled through a network. The device profilerdetermines vulnerabilities of hosts on the network and transmits thevulnerabilities to the centralized correlation server. The centralizedcorrelation server gathers the resulting vulnerabilities and sendsattack signatures for exploits of the vulnerabilities to the trafficmonitor. The traffic monitor monitors network traffic to detect trafficmatching the attack signatures. The system periodically rescans thenetwork in order to ensure that the traffic monitor is monitoring foronly current vulnerabilities. Thus, the present invention enableseffective monitoring and reduces false positives by monitoring for onlyexploits of vulnerabilities known to currently exist on the network.

The device profiler includes a control module communicating with anidentification subsystem for identifying characteristics of a host suchas applications and/or operating systems running on the host. Ahigh-level sensor examines OSI (Open Systems Interconnection) layer 5,layer 6 and/or layer 7 aspects of the host to determine runningapplications and other characteristics of the host. A low-level sensorexamines responses to anomalous data packets sent to the host todetermine an operating system and other characteristics of the host. Inone embodiment, the low-level sensor examines OSI layer 3 and 4 aspectsof the host.

To determine potential vulnerabilities, the control module traverses atleast one vulnerability tree having nodes representative of thecharacteristics of the host, wherein each node has an associated set ofpotential vulnerabilities. The control module determines a set ofpotential vulnerabilities by summing the vulnerabilities at eachtraversed node. The control module determines whether thevulnerabilities actually exist on the host and sends a list of theverified vulnerabilities to the centralized correlation server.

The centralized correlation server, preferably coupled to the network ata centrally accessible location, includes a network profiling modulethat stores rules for identifying host characteristics and distributesthe rules to the device profiler. Additionally, the network profilingmodule stores the resulting determined vulnerabilities.

The centralized correlation server also includes a network monitoringmodule that associates the determined vulnerabilities with attacksignatures. The network monitoring module is further adapted to send theattack signatures to the traffic monitor according to a monitoringlocation. In one embodiment, the centralized correlation server receivesdetermined vulnerabilities from a plurality of device profilers andsends attack signatures to a plurality of traffic monitors distributedto locations around the network.

An event daemon module in the centralized correlation server performsactions to block malicious activity in response to detecting potentialvulnerabilities or an attack thereon. For example, the event daemonmodule configures the firewall to prevent or block an attack.

A traffic monitor monitors network traffic for attack signaturescorresponding to the determined vulnerabilities to detect maliciousactivity. In one embodiment, the traffic monitor associates attacksignatures with the specific destination (e.g., IP address and/or port)having the corresponding vulnerability. The traffic monitor does notsignal an attack unless the attack matches the attack signature of anexploit of a vulnerability and is directed to a destination known tohave the vulnerability.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a high-level block diagram illustrating a system 100 accordingto an embodiment of the present invention.

FIG. 2 is a block diagram illustrating a more detailed view of theexemplary LAN 110 of FIG. 1.

FIG. 3 is a block diagram illustrating a device profiler 165 accordingto an embodiment of the present invention.

FIG. 4 is a block diagram illustrating an example of a vulnerabilitytree 400 according to an embodiment of the present invention.

FIG. 5 is a block diagram illustrating a node 500 in the vulnerabilitytree 400 according to an embodiment of the present invention.

FIG. 6 is a block diagram illustrating a centralized correlation server175 according to an embodiment of the present invention.

FIG. 7 is a block diagram illustrating a more detailed view of thenetwork profiling module 620 of FIG. 6.

FIG. 8 is a block diagram illustrating a more detailed view of thenetwork monitoring module of FIG. 6.

FIG. 9 is a flow chart illustrating a traffic monitor 185 according toan embodiment of the present invention.

FIG. 10 is a flow chart illustrating a method of profiling a host 191 todetect potential vulnerabilities as performed by the device profiler 165according to an embodiment of the present invention.

FIG. 11 is a flow chart illustrating a method of providing networksecurity to a distributed network as performed by the centralizedcorrelation server 175 according to an embodiment of the presentinvention.

FIG. 12 is a flow chart illustrating a method of performing a set ofactions to block exposure to a vulnerability by the event daemon module820.

FIG. 13 is a flow chart illustrating a method of monitoring adistributed network as performed by the traffic monitor 185 according toan embodiment of the present invention.

The figures depict an embodiment of the present invention for purposesof illustration only. One skilled in the art will readily recognize fromthe following description that alternative embodiments of the structuresand methods illustrated herein may be employed without departing fromthe principles of the invention described herein.

DETAILED DESCRIPTION

FIG. 1 is a high-level block diagram illustrating a system 100 accordingto an embodiment of the present invention. The system 100 comprises aWAN (wide area network) 130, such as the Internet, in communication withan enterprise network 115. The WAN 130 facilitates data transfersbetween geographically dispersed network hosts, such as computers. Theconnections to the WAN 130 may be wired and/or wireless, packet and/orcircuit switched, and use network protocols such as IEEE 802.11,Ethernet, Asynchronous Transfer Mode, or the like. In a packet-basednetwork, a communications protocol, such as TCP/IP (Transmission ControlProtocol/Internet Protocol), encapsulates data into packets havingheaders. A packet's header contains information relating to routing,error-correction and packet identification, among other things. One ofordinary skill in the art will recognize numerous variations ofnetworking encompassed within the present invention that are notspecifically disclosed herein.

The enterprise network 115 includes a LAN 110 (Local Access Network)with hosts 191 a,b and a DMZ 120 (DeMilitarized Zone). In thisembodiment, device profilers 165 a-c are coupled to the WAN 130, the LAN110, and the DMZ 120, and a traffic monitor 185 a is coupled to therouter 140.

The LAN 110 allows hosts 191 a,b to communicate with each other and withother hosts on the DMZ 120 and WAN 130 through a firewall 150 and arouter 140. The LAN 110 may be implemented as an independent network, oras a subset of a larger network such as the WAN 130. Further embodimentsof the LAN 110 are discussed below.

The hosts 191 a,b serve as pass through points or endstations for datapackets on the WAN 130, LAN 110, or another network. The hosts 191 a,b(and other hosts described below) may be a computer, computerperipheral, telephone, or other device able to connect to a network. Thehosts have characteristics such as a network address, open ports, andsoftware executing on the host including an operating system andapplications. The hosts 191 a,b run the operating system and theoperating system runs applications, both of which may be of a certainversion and patch level. Likewise, both the operating system and theapplications are vulnerable to malicious activity. The hosts 191 a,btypically have a hard drive or other data storage module holdinginformation or other resources that can be compromised by maliciousactivity.

Applications executing on the hosts 191 a,b may include softwareprograms, firmware code, and the like. Some applications performingnetwork services run on open ports of the host 191 a,b. A port is alogical communication path that allows applications on the network tocommunicate. Individual ports on the hosts 191 a,b are identified by anumber. Certain applications typically run on certain port numbers. Forexample, an HTTP (HyperText Transport Protocol) server applicationtypically runs on port 80 of the hosts 191 a,b.

The DMZ 120 allows a host 191 c to communicate with the hosts 191 a,b onthe LAN 110 and other hosts 191 on the WAN 130 through the router 140.However, communications with the WAN 130 occur without passing throughthe firewall 150, which means that hosts on the DMZ can provide servicesutilizing network traffic that would be blocked by the firewall 150, butare also more susceptible to malicious traffic. The host 191 c interactswith the WAN 180 by running applications responsive to requests from WANhosts 191 such as HTTP, FTP (File Transfer Protocol), DNS (Domain NameSystem) and/or email servers. Additionally, the host 191 c interactswith the LAN 110 by serving as a proxy for network interactions for LANhosts 191 a,b with the WAN 130. As will be recognized by one of ordinaryskill in the art, alternative network configurations of the DMZ 120 suchas a DMZ 120 placed between the LAN 110 and the firewall 150, and a DMZ120 placed between the router 140 and the firewall 150, are alsoencompassed within the present invention.

The router 140 determines network routing paths for data packetstraveling between devices connected to the WAN 130 and the enterprisenetwork 115 based on tables of available routes and their conditions.Specifically, the router 140 forwards incoming data packets to addresseson the LAN 110 and the DMZ 120 and forwards outgoing data packets toaddresses in the WAN 130. The router 140 may be a conventional networkrouter implemented in hardware or software as an independent module, orin combination with other modules such as the firewall 150 or a switch.

The firewall 150 restricts certain network traffic according to aconfigured firewall policy to prevent or block malicious attacks on theenterprise network 115 in response to detecting a vulnerability or anattack thereon. Thus, hosts 191 a,b behind the firewall 150 may not beaccessible from the WAN 130. Under a very restrictive policy, thefirewall 150 may effectively isolate the LAN 110 from the WAN 130 byblocking all incoming and outgoing network traffic. Under a lessrestrictive policy, the firewall 150 may allow outgoing network trafficand corresponding responses from the WAN 130. In network configurationswith the DMZ 120 located behind the firewall 150 with respect to the WAN130, the policy may allow incoming requests to pass through certainports, for example, port 80 for HTTP requests. The firewall 150 may be aconventional firewall implemented in hardware or software, as anindependent module, or in combination with other modules, for example,the router 140 or a host 191.

The device profilers 165 a-c collect data about the enterprise network115 for vulnerability analyses. Preferably, the multiple deviceprofilers 165 are distributed around the enterprise network 115 atlocations that offer different perspectives of vulnerabilities. In theillustrated embodiment, the device profilers 165 a-c are connected tothe WAN 130, the LAN 110 and the DMZ 120 in order to generate a moreaccurate portrait of network vulnerabilities in comparison to a singlepoint of data collection. Further embodiments of the device profilers165 a-c are discussed below.

A centralized correlation server 175, preferably located in the DMZ 120,maintains centralized control of network security for the enterprisenetwork 115. For example, the centralized correlation server 175maintains a centralized database of potential vulnerabilities, maintainsa centralized database of actual vulnerabilities identified by thedevice profilers 165 a-c, and communicates with both device profilers165 and traffic monitors 185. Thus, the centralized correlation server175 is preferably located in the DMZ 130 or at another point in thesystem 100 where it can communicate with each device profiler 165 andtraffic monitor 185. In other embodiments, the centralized correlationserver 175 is located in the router 140 or the WAN 130. Furtherembodiments of the centralized correlation server 175 are discussedbelow.

The traffic monitor 185 a examines network traffic for exploitations ofvulnerabilities of the enterprise network 115. One or more trafficmonitors 185 are deployed in the system 100, preferably at locationswhere they can monitor most or all of the network traffic. Bycommunicating with the network security centralized correlation server175, the traffic monitor 185 a accesses vulnerability informationparticular to its location such as associated attack signatures from thecentralized correlation server 175. When an attack is identified, thetraffic monitor 185 a notifies the centralized correlation server 175,which contains a set of actions to perform in response to the attack. Inone embodiment, the traffic monitor 185 b is coupled to the WAN 130 sideof the router 140. In another embodiment, the traffic monitor 185 b iscoupled to the LAN 110 side of the router 140. Further embodiments ofthe traffic monitor 185 are discussed below.

FIG. 2 is a block diagram illustrating a more detailed view of theexemplary LAN 110 of FIG. 1. The LAN 110 includes a device profiler 165d, a traffic monitor 185 b, a subnet 1 117 a, a subnet 2 117 b, and asubnet 3 117 c, each of which is coupled to a switch 142 a.

The switch 142 a may be a conventional switch for sending networktraffic received from the router 140 to the appropriate subnet 117, andnetwork traffic received from the subnets 117 a-c to a different subnet117 or to the router 142 a.

The device profiler 165 d is placed at a location that allows it todetermine vulnerabilities of the LAN 110 from inside the firewall 150.Because the firewall 150 limits access to hosts 191 inside its purview,the ability to recognize these hosts 191 and their characteristicsdepends on from which side of the firewall 150 the assessment is made.From its location, the device profiler 165 d communicates with thesubnets 117 a-c without being affected by the access policies of thefirewall 150. Thus, the device profiler 165 d inside the firewall 150can identify vulnerabilities that may not be apparent to deviceprofilers 165 located outside of the firewall 150.

The traffic monitor 185 b is also placed at a location between thefirewall 150 and the switch 142 a that allows it to examine networktraffic for exploitations of vulnerabilities of the LAN 110. In theillustrated embodiment, the traffic monitor 185 b is coupled to the spanport of the switch 142 a so that it can examine all data packetstraveling between the LAN 110 and the WAN 130. In another embodimentpermitting examination of the same traffic, the traffic monitor 185 b iscoupled to a port on the router 140 coupled to the LAN 110. In yetanother embodiment, the traffic monitor 185 b is coupled to ports on theswitch 142 a that are coupled to the subnets 117 a-c.

In the illustrated embodiment, subnet 1 117 a includes a single host 191a. In contrast, subnet 2 117 b includes a device profiler 165 e andmultiple hosts 191 b-d coupled to a switch 142 a. The device profiler165 e within subnet 2 117 b is positioned to detect vulnerabilities onhosts 191 b-d within the subnet 117.

Subnet 3 117 c includes a device profiler 165 f, a traffic monitor 185c, and two hosts networked via a direct connection. The first host 191 eis coupled to the switch 142 a and the second host 191 f is coupled tothe first host 191 e. The device profiler 165 f is placed at a locationthat allows it to determine vulnerabilities of the host 191 f from alocation between the hosts 191 e, f unaffected by any policies otherthan the host 191 f itself. The traffic monitor 185 c is placed at alocation that allows it to monitor network traffic from a locationbetween the hosts 191 e, f.

FIG. 3 is a block diagram illustrating a device profiler 165 accordingto an embodiment of the present invention. The device profiler 165preferably comprises an I/O module 310, a control module 320, and anidentification subsystem 330. The I/O module 310 allows the deviceprofiler 165 a to communicate with other devices on the network such ashosts 191, the centralized correlation server 175, and traffic monitors185. In another embodiment, the I/O module 310 generates data packets tosend to hosts 191 according to instructions from the control module 320and/or identification subsystem 330. Depending on the embodiment, theI/O module 310 may be a network interface card or other hardware, asoftware module, or a combination of both.

The control module 320 manages the vulnerability identification processand controls the general operation of the device profiler 165. Inoperation, the control module 320 identifies hosts 191 on the networkand characteristics of the hosts 191 and use the characteristics todetermine the host's vulnerabilities. In one embodiment, the controlmodule 320 uses ping requests to identify hosts on the network and TCPconnection attempts to identify open ports of the hosts. Based on thisinformation, the control module 320 sends messages to the identificationsubsystem 330 instructing it to carry out various analyses to identifyand verify vulnerabilities of hosts 191 on the network. Ultimately, thecontrol module 320 generates and sends a list of these vulnerabilitiesto the centralized correlation server 175.

The identification subsystem 330 detects vulnerabilities in hosts 191 onthe network using identification and verification processes. Theidentification subsystem 330 includes a low-level sensor 345, ahigh-level sensor 355, and a rules database module 365. Otherembodiments have different and/or additional modules for detectingvulnerabilities than the ones described herein.

The high-level sensor 355 identifies applications and othercharacteristics of the hosts 191 by analyzing how the hosts 191 interactat the higher layers of the OSI (Open System Interconnection) stack. Forexample, telnet applications typically run on port 23. Responsive toport 23 being open, the high-level sensor 355 attempts to open a telnetsession on the port and sends a command line instruction to which thetelnet application identifies itself by name, version and/or patchlevel. One embodiment of the high-level sensor 355 analyzes layer 5,layer 6 and layer 7 OSI stack interactions. These layers respectivelycorrespond to the session layer, the presentation layer, and theapplication layer.

The low-level sensor 345 identifies operating systems running on hosts191 and/or other characteristics by sending anomalous data packets tothe hosts and analyzing the lower level OSI stack characteristics ofpackets received in response. In one embodiment, the low-level sensoranalyzes the layer 3 and 4 characteristics. Layer 3 corresponds to thenetwork layer and layer 4 corresponds to the transport layer of the OSIstack. The low-level sensor 345 generates and sends data packets basedon a set of rules. The rules and packets are designed to generate aresponse from a host 191 that provides information about the operatingsystem or other characteristics of the host 191.

In one embodiment, the data packets are anomalous data packets relativeto normal data packets that conform to standards. For example, normalpackets may adhere to RFC (Request For Comment) protocols promulgated bythe Internet Engineering Task Force. The host 191 typically responds tonormal data packets with normal responses. By contrast, the host 191 mayhave unique responses to anomalous data packets deviating from the RFCstandard. The response can be compared to operating system fingerprints,or templates of known responses, to identify the operating system,version and/or patch level. In one embodiment, the low-level sensor 345follows-up one or a set of data packets with another or another set ofdata packets based on responses to the preceding data packets. Severalillustrative responses to probes are set forth in U.S. patentapplication Ser. No. 09/648,211.

The rules database module 365 holds rules utilized by the control module320, the low-level sensor 345, and the high-level sensor 355 to identifycharacteristics of the hosts 191. These rules include control logic foroperating the high- 355 and low-level 345 sensors to determine thehost's characteristics. In one embodiment, the rules database module 365also stores potential vulnerabilities of hosts in one or more tree-likedata structures, referred to as “vulnerability trees” 400 (e.g., anapplication vulnerability tree and an operating system vulnerabilitytree). The control module 320 is adapted to fire rules in the rulesdatabase module 365 that use the high- 355 and/or low-level sensors 345to determine the host's characteristics and use these characteristics totraverse the vulnerability tree 400 and identify potentialvulnerabilities at each host 191. In one embodiment, the rules databasemodule 365 also stores rules to verify the potential vulnerabilities.The rules database module 365 is preferably configured to receiveoccasional rule updates from the centralized correlation server 175.

FIG. 4 is a block diagram illustrating an example of a vulnerabilitytree 400 according to an embodiment of the present invention. Ingeneral, a vulnerability tree 400 has multiple nodes arranged in a treestructure, such that there is a root node and multiple child nodes.Intermediate nodes in the tree have a parent node and a descendant node,and can also have one or more peer nodes at an equal depth from the rootnode. Each node represents a characteristic of the host, and the nodesare arranged so that each child node represents a more specificidentification of the characteristic than the node's parent. Inaddition, each node also identifies a set of vulnerabilities that a hosthaving the characteristic represented by the node might possess. Todetermine potential vulnerabilities of a host, the control module 320traverses the nodes of the vulnerability tree and identifies the lowestlevel (i.e., farthest descendant from the root) node corresponding tothe characteristics of the host. The potential vulnerabilities of thehost are the sum of the vulnerabilities of the lowest node and itsparent nodes. The rules database module 365 may hold multiplevulnerability trees applicable to the hosts 191 on the network 115. Inone embodiment, there is a vulnerability tree for potential applicationsrunning on a host and another vulnerability tree for potential operatingsystems running on the host. Other embodiments can have other types ofvulnerability trees and/or other arrangements of vulnerability data.

The illustrated vulnerability tree 400 stores vulnerabilities associatedwith particular applications executing on a host 191. Each node isassociated with an application, application version and/or patch versionand has an associated list of zero or more vulnerabilities that might bepossessed by the host 191 executing the application. A child node (e.g.,node 424 is child node of node 414) represents a more specificidentification of the application, such as a specific type, versionand/or patch level and has a list of zero or more vulnerabilities uniqueto that node. As such, the total list of vulnerabilities that a givenapplication may possess is determined by identifying the applicablelowest-level child node and summing that node's vulnerability list withthe vulnerability lists of any parent nodes.

The exemplary vulnerability tree of FIG. 4 has four levels and is usedto identify vulnerabilities associated with the application running onan open port of the host 191. The top level is an application type level410 and has separate nodes for FTP, HTTP, and Telnet. The next level isan application level 420. In this example, the vulnerability tree isexpanded for the HTTP application type 414. Thus, the applications levelhas two nodes corresponding to specific HTTP applications, namely Apache422 and IIS (Internet Information Server) 424. The next level is aversion level 430, which in this example includes nodes for versions 1.0432, 2.0 434 and 3.0 436 of IIS. The next level is the patch level 440and it includes nodes for the possible patch levels of the applicationversions. In this example, the vulnerability tree includes Service Pack1 and Service Pack 2 patch level nodes 442, 444.

FIG. 5 is a block diagram illustrating an example of a node 500 in avulnerability tree 400. The node 500 of FIG. 5 is for an applicationvulnerability tree. Nodes in other types of vulnerability trees candiffer from the one described herein. The application node 500 includesnode application detection rules 510, zero or more node vulnerabilities520, and an optional node operating system weight 530.

The node application detection rules 510 are rules used by the controlmodule 320 to determine whether the host 191 has the characteristicsrepresented by the node. These rules 510 contain deterministic logicsuch as Boolean conditions that are applied against the characteristicsof the host 191 as measured by the high- 355 and/or low-level 345sensors. A rule is satisfied if the host has the characteristicdescribed by the rule. In one embodiment, each application detectionrule has a weight. The weight represents the probability that a hostsatisfying the rule has the characteristic represented by the node. Forexample, a highly-dispositive rule has a large weight while a lessdispositive rule has a smaller weight. The weight for a node is the sumof the weights of its satisfied rules.

In one embodiment, the control module 320 traverses the applicationvulnerability tree by evaluating the application detection rules of theone or more child nodes from its present position in the tree andthereby generating a weight for each child node. The control module 320traverses to the child node having the highest weight. In oneembodiment, if none of the weights of the child nodes exceed athreshold, the control module 320 implements a searching procedure todetermine if it has incorrectly traversed the tree.

This technique allows the control module 320 to detect applicationsexecuting on non-standard ports. For example, if an email application isexecuting on the port normally used for web servers, the control modulemight initially traverse down the portion of the application tree 400for identifying characteristics of web servers. At some point, many ofthe characteristics described by the nodes would not apply to the host191 due to the application being an email application instead of a webserver, causing the weights of the child nodes to fall below thethreshold. At this point, the control module 320 searches other portionsof the application tree (and/or evaluates nodes of other vulnerabilitytrees) in order to identify nodes that better represent the host's 191characteristics.

The node vulnerabilities 520, if there are any associated with a node,are vulnerabilities that a host 191 having the characteristicsrepresented by the node might possess. In one embodiment, thevulnerabilities 520 of a node are the vulnerabilities unique to thespecific characteristic represented by the node. In this embodiment,therefore, the total vulnerabilities of the host (for a given tree) isthe sum of the lowest child node and its parent nodes. In otherembodiments, the node vulnerabilities are stored in differentrepresentations.

The operating system weight 530, if any, indicates the probability thata host 191 having the node characteristic is also running a certainoperating system. In one embodiment, the operating system weight 520indicates a particular node in the operating system vulnerability treeand a weight to add to that node. Nodes representing characteristicsthat are compatible with a single operating system (e.g., IIS is onlycompatible with Windows) have a relatively high operating system weight530 because presence of the characteristic is highly correlative topresence of the operating system and vice-versa.

The vulnerability tree for operating systems is similar to theapplication vulnerability tree 400 described above. For example, a toplevel of the tree can represent an operating system family (e.g., Unix,Windows, and MacOS) and descending levels can represent specificoperating systems in each family (e.g., specific to Widows is XP, NT,2000), operating system versions (e.g., specific to NT is 3.5 and 4.0),and patch levels (specific to 3.5 is Service Pack 1 and Service Pack 2).

FIG. 6 is a block diagram illustrating a centralized correlation server175 according to an embodiment of the present invention. The centralizedcorrelation server 175 comprises an I/O module 610, a network profilingmodule 620, and a monitoring module 530.

The I/O module 610 allows the centralized correlation server 175 tocommunicate with other devices on the network such as the deviceprofilers 165 and the traffic monitors 185. In one embodiment the I/Omodule 610 provides I/O functionality to a user through a userinterface. The user may, for example, manipulate the configurationinformation or receive messages from the centralized correlation server175 regarding the operation and status of the system 100. Depending onthe embodiment, the I/O module 610 may be a network interface card orother hardware, a software module, or a combination of both.

The network profiling module 620 stores the information used by deviceprofilers 165 to identify vulnerabilities and also stores thevulnerabilities of the system 100 detected by the device profilers 165.In one embodiment, the network profiling module 620 generates anabstract view of the configuration of the enterprise network 115 fromthe information collected from the individual device profilers 191.Advantageously, the network profiling module 620 leverages fromindividual data points to provide improved network security services.

The network monitoring module 630 stores the information used by thetraffic monitors 185 to monitor network traffic for attacks onidentified vulnerabilities and also stores attack signatures correlatingto vulnerabilities of the system 100. In one embodiment, the networkingmonitoring module 530 sends each traffic monitor 185 the attacksignatures for all of the vulnerabilities in the system 100. In oneembodiment, the network monitoring module 630 sends traffic monitors 185attack signatures for only vulnerabilities of hosts 191 accessible tothe traffic monitored by the traffic monitor 185.

FIG. 7 is a block diagram illustrating a more detailed view of thenetwork profiling module 620 of FIG. 6. The network profiling module 620comprises a low-level sensor rules database 610, a high-level sensorrules database 620, a vulnerability rules database 730, and anidentified vulnerabilities module 740. In some embodiments, some or allof these databases can be combined. Advantageously, the rules are storedin a central location for updates, which can then be distributeddownstream to the device profilers 165.

The high-level sensor rules database 710 stores rules used by thehigh-level sensors 355 of device profilers 365 to identify applicationsexecuting on hosts 191 and other characteristics of the hosts 191. Thehigh-level sensor rules database 710 holds rules for sending data to thehost 191 that will identify characteristics of the host 191 whenanalyzed at layers 5-7. For example, a telnet application may responddirectly to an inquiry for self-identification.

The low-level sensor rules database 720 stores rules used by thelow-level sensors 345 of the device profilers 165 for identifyingoperating systems or other characteristics of the hosts 191. These rulesinclude information for generating anomalous data packets and analyzingthe responses to the packets received from the hosts 191 in order toidentify operating systems and applications on the host 191.

The vulnerability rules database 730 stores rules used by the controlmodule 320 to identify and verify potential vulnerabilities at thedevice profilers 165. These rules include the vulnerability trees andrules for using the sensors to traverse the trees, as well as rules forusing the sensors to verify the presence of the specific vulnerabilitiesidentified by the trees. The identified vulnerabilities module 740stores data describing the vulnerabilities of hosts 191 on the networkidentified by the device profilers 165.

FIG. 8 is a block diagram illustrating a more detailed view of thenetwork monitoring module 630 of FIG. 6. The network monitoring module630 comprises an attack signatures module 810 and an event daemon module820.

The attack signatures module 810 stores attack signatures foridentifying network traffic indicative of attacks exploitingvulnerabilities of hosts 191 on the network. The attack signatures maybe logical rules tested against network traffic. The attack signaturesmodule 810 is configured to generate a subset of attack signaturescorresponding to vulnerabilities identified by the device profilers 165and send the attack signatures to the traffic monitors 185 in the system100. In one embodiment, the attack signatures are sent to trafficmonitors 185 based on their locations in the system 100.

The event daemon module 820 performs a set of actions to block a host'sexposure to its vulnerabilities. In one embodiment the event daemonmodule 820 responds to a notification of vulnerabilities from the deviceprofiler 165. In another embodiment, the event daemon module 820responds to a notification of a real-time attack from the trafficmonitor 185. The blocking actions may include configuring a firewall tohalt communication between the enterprise network 115 and the WAN 130,closing open ports on the host 191, and/or preventing the operatingsystems and/or applications from executing programs.

The event daemon module 820 may also send an alert to a networkadministrator or log the attack. In another embodiment, the event daemonmodule 820 logs attacks. New information may be compared to previousinformation in identifying multi-faceted attacks to the enterprisenetwork 115. In still another embodiment, the event daemon 720 sends amessage to the user indicating the type and location of an attack.

FIG. 9 is a block diagram illustrating an embodiment of the trafficmonitor 185 according to the present invention. The traffic monitorcomprises an I/O module 910, an attack signatures module 920, a ruleparsing module 830, and a traffic sniffing module 840.

The I/O module 910 allows the traffic monitor 185 to communicate withother devices on the network such as the centralized correlation server175. In implementation, the I/O module 910 may be a network interfacecard or other hardware, a software module, or a combination of both.

The attack signatures module 920 stores attack signatures received fromthe centralized correlation server 175. In one embodiment, the attacksignatures module 810 generates subsets of attack signatures valid foreach potential destination of traffic monitored by the traffic monitor185. For example, one subset contains attack signatures valid for aparticular IP address and port number. The subset contains the attacksignatures of exploits attacking the vulnerabilities known to be presentat that specific IP address and port.

The traffic sniffing module 840 monitors network traffic to detecttraffic corresponding to attack signatures in the attack signaturesmodule 920. The traffic sniffing module 840 analyzes network traffic toidentify patterns matching the attack signatures. Preferably, thetraffic sniffing module 840 uses the subsets of attack signatures tomonitor for only exploits of vulnerabilities present at the destinationof the traffic. Thus, the traffic sniffing module 840 will ignore anattack signature directed to a destination (e.g., IP address and/orport) that is not vulnerable to the exploit. Additionally, the trafficsniffing module 930 is configured to send a notification message to thecentralized correlation server 175 in response to detecting an attacksignature.

FIG. 10 is a flow chart illustrating a method of profiling a host 191 todetect potential vulnerabilities as performed by the device profiler 165according to an embodiment of the present invention. The control module320 identifies 1010 hosts on the enterprise network 115 by periodicallytesting for responses over a range of addresses available in thenetwork, for example, by sending ping requests to each address. In oneembodiment, the centralized correlation server 175 notifies deviceprofilers 165 of known hosts on the enterprise network 115. The controlmodule 320 identifies 1020 open ports on the host 191 by periodicallyport scanning the host 191, for example, by sending TCP connectionrequests to each port.

The control module 320 identifies 1030 an application running on an openport by using the high and/or low-level 355, 345 sensors to traverse thenodes of the application vulnerability tree. As part of this process,the control module 320 uses the operating system weights of traversednodes to identify a starting point in the operating system tree (e.g.,the node having the highest weight value). This starting point istypically one to two levels below the root node of the tree. The controlmodule 320 uses the high and/or low-level 355, 345 sensors to traversethe operating system tree from the starting point to identify 1040 anoperating system running on the host 191. The control module 320identifies 1050 the total set of vulnerabilities for the host 191 fromthe vulnerability trees. Next, the control module 320 uses the sensors345, 355 to verify 1060 the existence of the vulnerabilities on the host191.

The method 1000 is iterative 1095, so the device profiler 165 isscanning constantly or at intervals according to the above process. Inanother embodiment, the method 1000 is repeated in response to a changein a host 191, the network configuration, or otherwise.

FIG. 11 is a flow chart illustrating a method of providing distributedsecurity in a network as performed by the centralized correlation server175 according to an embodiment of the present invention. The centralizedcorrelation server 175 receives 1110 verified vulnerabilities andlocations of device profilers 165 in the system 100 stores them in theidentified vulnerabilities module 740.

In preparing information for distribution, the attack signatures module810 associates 1120 verified vulnerabilities with attack signatures usedto monitor for attacks on the vulnerabilities. The centralizedcorrelation server 175 receives 1130 locations of traffic monitors 185on the system 100. Next, the centralized correlation server 175 sends1140 the attack signatures for the verified vulnerabilities to thetraffic monitors 185 based on the traffic monitors' 185 locations.

The centralized correlation server 175 repeats the discussed steps 1110,1120, 1130, 1140 to update attack signatures at relevant trafficmonitors.

FIG. 12 is a flow chart illustrating a method of performing a set ofactions to block exposure to a vulnerability by the event daemon module820. In response to receiving 1210 a notification related tovulnerabilities sent by the device profiler 165, the event daemon module820 performs a set of actions such as configuring 1220 the firewall 150to prevent the attack. The notification may be sent directly by thedevice profiler 165, or indirectly such as from the identifiedvulnerability module 740. In one embodiment, the notification is sent toblock vulnerabilities that have a high probability of being attacked, orthat have a high consequence as a result of being attacked.

In response to receiving 1230 notification of malicious activity from atraffic monitor 185, the centralized correlation server 175 performs aset of actions such as configuring the firewall 150 in real-time toblock the attack. The event daemon module 820 may also send 1250 analert to a network administrator or log the attack.

FIG. 13 is a flow chart illustrating a method of monitoring adistributed network as performed by the traffic monitor 185 according toan embodiment of the present invention. The traffic monitor 185 sends1310 a network location to the centralized correlation server 175. Thecentralized correlation server 175 returns 1320 attack signaturespreferably derived at least in part from device profiler's 165 locationor likelihood to examine network traffic containing a specific attacksignature.

The traffic monitor 185 analyzes 1330 network traffic for attacksignatures. In one embodiment, the traffic monitor 185 determines thedestination (e.g., IP address and/or port number) of the traffic,determines the attack signatures associated with that destination, andindicates an attack if the network traffic matches an associated attacksignature. In response to detecting malicious activity 1350, the trafficmonitor 185 notifies 1240 the event daemon module 820 in the centralizedcorrelation server 175. Otherwise, the traffic monitor 185 constantlyexamines network traffic.

In summary, the system 100 is configured pre-incident to an attack onvulnerabilities present on the hosts 191. Accordingly, the trafficmonitors 185 and the firewall 150 more effectively and efficientlyprotect the hosts 191 from malicious activity by leveraging off ofinformation collected from device profilers 165 through the centralizedcorrelation server 175. Additionally, the system configuration isconstantly updated to reflect changes inside the network and additionalthreats from the outside.

The above description is included to illustrate the operation of thepreferred embodiments and is not meant to limit the scope of theinvention. The scope of the invention is to be limited only by thefollowing claims. From the above discussion, many variations will beapparent to one of ordinary skill in the art that would yet beencompassed by the spirit and scope of the invention.

1. A method for providing security to a plurality of hosts on a network,the method comprising: storing potential vulnerabilities of the hosts ina tree-structured vulnerability tree having nodes representative ofcharacteristics of the host and a set of potential vulnerabilitiesassociated with ones of the nodes; evaluating responses of a host of theplurality of hosts to data packets sent over the network to determinecharacteristics of the host; traversing the tree-structuredvulnerability tree responsive to the determined characteristics todetermine vulnerabilities of the host; and providing the determinedvulnerabilities of the host to a traffic monitor, the traffic monitorconfigured to monitor the network for traffic indicative of attacksexploiting one or more of the determined vulnerabilities of the host. 2.The method of claim 1, further comprising: storing the determinedvulnerabilities at a location on the network centrally accessible toevaluating and monitoring hosts for vulnerabilities; and identifyingattack signatures of network traffic indicating attacks exploiting thedetermined vulnerabilities of the host, wherein the traffic monitor isconfigured to monitor the network traffic for the attack signatures at amonitoring location having access to the centrally accessible location.3. The method of claim 1, wherein the evaluating comprises sendinganomalous data packets to the host.
 4. The method of claim 3, whereinthe determining comprises analyzing responses of the host to theanomalous data packets with respect to at least one of layer 3 or layer4 of the Open Systems Interconnection model to determine characteristicsof the host.
 5. The method of claim 3, wherein the determinedcharacteristics comprise an operating system version and patch level ofthe host.
 6. The method of claim 1, wherein the evaluating comprisesdetermining the host's characteristics based on analyzing the host'sresponses to data packets with respect to at least one of layer 5, layer6 or layer 7 of the Open Systems Interconnection model.
 7. The method ofclaim 6, wherein the determined characteristics comprise an applicationversion and patch level executing on the host.
 8. The method of claim 1,wherein the traffic monitor is configured to monitor only for determinedvulnerabilities exploitable from a monitoring location on the network.9. The method of claim 1, further comprising: updating the determinedvulnerabilities based on detecting updated characteristics.
 10. Themethod of claim 1, wherein the traffic monitor is configured toselectively restrict network traffic to the host responsive to receivinga notification related to one of the determined vulnerabilities.
 11. Acomputer program product for providing security to a plurality of hostson a network, the computer program product comprising computer programcode embodied on a computer-readable medium, the computer program codefor: storing potential vulnerabilities of the hosts in a tree-structuredvulnerability tree having nodes representative of characteristics of thehost and a set of potential vulnerabilities associated with ones of thenodes; evaluating responses of a host of the plurality of hosts to datapackets sent over the network to determine characteristics of the host;traversing the tree-structured vulnerability tree responsive to thedetermined characteristics to determine vulnerabilities of the host; andproviding the determined vulnerabilities of the host to a trafficmonitor, the traffic monitor configured to monitor the network fortraffic indicative of attacks exploiting one or more of the determinedvulnerabilities of the host.
 12. The computer program product of claim11, further comprising computer program code for: storing the determinedvulnerabilities at a location on the network centrally accessible toevaluating and monitoring hosts for vulnerabilities; and identifyingattack signatures of network traffic indicating attacks exploiting thedetermined vulnerabilities of the host, wherein the traffic monitor isconfigured to monitor the network traffic for the attack signatures at amonitoring location having access to the centrally accessible location.13. The computer program product of claim 11, wherein the evaluatingcomprises sending anomalous data packets to the host.
 14. The computerprogram product of claim 13, wherein the determining comprises analyzingresponses of the host to the anomalous data packets with respect to atleast one of layer 3 or layer 4 of the Open Systems Interconnectionmodel to determine characteristics of the host.
 15. The computer programproduct of claim 13, wherein the determined characteristics comprise anoperating system version and patch level of the host.
 16. The computerprogram product of claim 11, wherein the evaluating comprisesdetermining the host's characteristics based on analyzing the host'sresponses to data packets with respect to at least one of layer 5, layer6 or layer 7 of the Open Systems Interconnection model.
 17. The computerprogram product of claim 16, wherein the determined characteristicscomprise an application version and patch level executing on the host.18. The computer program product of claim 11, wherein the trafficmonitor is configured to monitor only for determined vulnerabilitiesexploitable from a monitoring location on the network.
 19. The computerprogram product of claim 11, further comprising computer program codefor: updating the determined vulnerabilities based on detecting updatedcharacteristics.
 20. The computer program product of claim 11, whereinthe traffic monitor is configured to selectively restrict networktraffic to the host responsive to receiving a notification related toone of the determined vulnerabilities.
 21. A distributed computernetwork security system for detecting an attack on a host on a networkhaving a plurality of hosts, the system comprising: a device profilercommunicatively coupled with the network, the device profiler configuredto evaluate responses of a host of the plurality of hosts to datapackets sent over the network to determine characteristics of the host,and further configured to determine vulnerabilities of the host bytraversing the tree-structured vulnerability tree responsive to thedetermined characteristics to determine vulnerabilities of the host, thetree storing potential vulnerabilities of the hosts and having nodesrepresentative of characteristics of the host and a set of potentialvulnerabilities associated with ones of the nodes; and a traffic monitorcommunicatively coupled with the network, the traffic monitor configuredto receive the determined vulnerabilities of the host from the deviceprofiler, the traffic monitor configured to monitor the network fortraffic indicative of attacks exploiting one or more of the determinedvulnerabilities of the host.
 22. The system of claim 21, wherein: thedetermined vulnerabilities are stored at a location on the networkcentrally accessible to evaluating and monitoring hosts forvulnerabilities; the device profiler is configured to identify attacksignatures of network traffic indicating attacks exploiting thedetermined vulnerabilities of the host; and the traffic monitor isconfigured to monitor the network traffic for the attack signatures at amonitoring location having access to the centrally accessible location.23. The system of claim 21, wherein device profiler is configured toevaluate responses, at least in part, by sending anomalous data packetsto the host.
 24. The system of claim 23, wherein the device profiler isconfigured to determine characteristics of the host, at least in part,by analyzing responses of the host to the anomalous data packets withrespect to at least one of layer 3 or layer 4 of the Open SystemsInterconnection model to determine characteristics of the host.
 25. Thesystem of claim 23, wherein the determined characteristics comprise anoperating system version and patch level of the host.
 26. The system ofclaim 21, wherein device profiler is configured to evaluate responses,at least in part, by determining the host's characteristics based onanalyzing the host's responses to data packets with respect to at leastone of layer 5, layer 6 or layer 7 of the Open Systems Interconnectionmodel.
 27. The system of claim 26, wherein the determinedcharacteristics comprise an application version and patch levelexecuting on the host.
 28. The system of claim 21, wherein the trafficmonitor is configured to monitor only for determined vulnerabilitiesexploitable from a monitoring location on the network.
 29. The system ofclaim 21, wherein the device profiler is further configured to updatethe determined vulnerabilities based on detecting updatedcharacteristics.
 30. The system of claim 21, wherein the traffic monitoris configured to selectively restrict network traffic to the hostresponsive to receiving a notification related to one of the determinedvulnerabilities.